NoelJ

Researchers Hack Intel’s VPro

snydeq writes “Security researchers from Invisible Things Lab have created software that can ‘compromise the integrity’ of software loaded using Intel’s vPro Trusted Execution Technology, which is supposed to help protect software from being seen or tampered with by other programs on the machine. The researchers say they have created a two-stage attack, with the first stage exploiting a bug in Intel’s system software. The second stage relies on a design flaw in the TXT technology itself (PDF). The researchers plan to give more details on their work at the Black Hat DC security conference next month.”

Read more of this story at Slashdot.

surely_you_cant_be_serious writes “A nationwide survey finds that most companies consider their systems vulnerable to attack. Historically, crime rates increase during recessions — and some believe that cybercrime may well follow suit, especially given massive layoffs and the dim prospects many laid-off employees face in finding a new job. ‘One thing companies can start doing is monitoring their networks on an ongoing basis so that they understand the normal pattern of data flow and usage, Brill said. In many cases, companies may not have the internal capability to do this, but outsourcing options are available. Kroll Ontrack, for instance, will be rolling out a 24/7 monitoring service for its global clients manned from a US location by professionals in early 2009.’”

Read more of this story at Slashdot.

An anonymous reader writes “Wired has the inside story of Max Butler, a former white hat hacker who joined the underground following a jail stint for hacking the Pentagon. His most ambitious hack was a hostile takeover of the major underground carding boards where stolen credit card and identity data are bought and sold. The attack made his own site, CardersMarket, the largest crime forum in the world, with 6,000 users. But it also made the feds determined to catch him, since one of the sites he hacked, DarkMarket.ws, was secretly a sting operation run by the FBI.”

Read more of this story at Slashdot.

An anonymous reader writes “Twitter’s been hit by a big phishing scam. Culture Crash blogger Dan Tynan says this is the end of Twitter’s innocence. Will tweets become like email, with two out of every three just worthless spam?”

Read more of this story at Slashdot.

Photographer Duane Kerzic was standing on the public platform in New York’s Penn Station, taking pictures of trains in hopes of winning the annual photo contest that Amtrak had been running since 2003. Amtrak police arrested him for refusing to delete the photos when asked, though they later charged him with trespassing. “Obviously, there is a lack of communication between Amtrak’s marketing department, which promotes the annual contest, called Picture Our Trains, and its police department, which has a history of harassing photographers for photographing these same trains. Not much different than the JetBlue incident from earlier this year where JetBlue flight attendants had a woman arrested for refusing to delete a video she filmed in flight while the JetBlue marketing department hosted a contest encouraging passengers to take photos in flight.” Kerzic’s blog has an account of the arrest on Dec. 21 and the aftermath.

Read more of this story at Slashdot.

On Elpeleg writes “The Perl Foundation has announced they are switching their version control systems to git. According to the announcement, Perl 5 migration to git would allow the language development team to take advantage of git’s extensive offline and distributed version support. Git is open source and readily available to all Perl developers. Among other advantages, the announcement notes that git simplifies commits, producing fewer administrative overheads for integrating contributions. Git’s change analysis tools are also singled out for praise. The transformation from Perforce to git apparently took over a year. Sam Vilain of Catalyst IT ’spent more than a year building custom tools to transform 21 years of Perl history into the first ever unified repository of every single change to Perl.’ The git repository incorporates historic snapshot releases and patch sets, which is frankly both cool and historically pleasing. Some of the patch sets were apparently recovered from old hard drives, notching up the geek satisfaction factor even more. Developers can download a copy of the current Perl 5 repository directly from the perl.org site, where the source is hosted.”

Read more of this story at Slashdot.

snikulin writes “My 6-year-old embedded software happily runs on kernel v2.4 on an XScale CPU. The software gets a bunch (tens of megabytes) of data from an FPGA over a PCI-X bus and pushes it out over GigE to data-processing equipment. The tool chain is based on the somewhat outdated gcc v2.95. Now, for certain technical reasons we want to jump from the ARM-based custom board to an Atom-based COM Express module. This implies that I’ll need to re-create a Linux RAM disk from scratch along with the tool chain. The functionality of the software will be essentially the same. My question: is it worth it to jump to kernel 2.6, or better to stick with the old and proven 2.4? What will I gain and what will I lose if I stay at 2.4 (besides the modern gcc compiler and the other related dev tools)?”

Read more of this story at Slashdot.

markmcb writes “My development team was recently brainstorming over finding a practical solution to the problem that’s haunted anyone who’s ever used a framework: convention vs. customization. We specifically use Rails, and like most frameworks, it’s great for 95% of our situations, but it’s creating big bottlenecks for the other 5%. Our biggest worry isn’t necessarily that we don’t know how to customize, but rather that we won’t have the resources to maintain customized code going forward; it’s quite simple to update Rails as it matures versus the alternative. What have your experiences been with this problem? Have you found any best practices to avoid digging custom holes you can’t climb out of?”

Read more of this story at Slashdot.

StrongestLink writes “In an intriguing twist on the recent Comodo CA vulnerability discussed here last week, security researcher Mike Zusman today revealed that three days prior to StartCom’s disclosure of a flaw in a Comodo reseller’s registration process, he discovered and disclosed an authentication bypass flaw to StartCom in their own registration process that allowed an attacker to submit an authorized request for any domain. During a month which was marked by the continuing paradigm shift to SSL-verified holiday shopping, the Chain of Trust continues to run off the gears, and Bruce Schneier is even commenting publicly that SSL’s site validation mission isn’t even relevant. What lies ahead for the billion-dollar CA industry?”

Read more of this story at Slashdot.

An anonymous readerwrites “On Friday the wonderfully customer centric AirTran decided to remove a family of 9 US born Muslims after a comment between two family members regarding how close to the Jet engine they had been seated. The wonderful part is that after the FBI cleared the family 2 hours later, AirTran refused to fly the family, and refused to rebook them on their way from Washington to Orlando, Florida. The family purchased additional tickets on US Airways later that day, after AirTran requested that the irate father be escorted from their booking podiums by security. This whole story highlights the pathetic customer service we are getting from the Airlines these days — they actually treat us like criminals first and ask questions later. Just don’t get me started on Delta.” It’s nice to see that stupidity still knows no bounds.

Read more of this story at Slashdot.

ancientribe writes “Security experts are cautiously on the lookout for some lesser-known but potentially lethal threats that could be more difficult to prepare for and defend against in 2009. These aren’t your typical enterprise hack attacks. They’re mainly large-scale Internet threats — attacks that knock out sections of the Internet infrastructure, radical extremist hackers, Web attacks that adversely affect online ad revenue, and even the unthinkable: human casualties as a result of a cyberattack.” Also known as the new group of things the fear mongers will use to make you do their bidding.

Read more of this story at Slashdot.

fortapocalypse writes “I’m getting paid a good salary as a Java developer and the hours are great. It is also very stable, which means something in today’s economy, especially with a family to feed. However, I’m very unmotivated both because of the work that I do, which is boring, and because the organization I work for is highly political, disorganized, and lacks accountability. I’ve done what I could to try to change things at work and have pretty much given up on that. I want to go out on my own, either starting my own company or just working as a contractor doing Java development, but I’m not sure of the best way to get started, and my family needs the stability of my current job. I’d really like to start out part-time at 5-15 hours a week to use it as supplemental income (which my family could really use at the moment), but I really don’t know where to start. I doubt many contracting agencies would be interested in a part-time worker. What would you suggest for someone in my position?”

Read more of this story at Slashdot.

Craig writes “Journalspace.com has fallen and can’t get up. The post on their site describes how their entire database was overwritten through either some inconceivable OS or application bug, or more likely a malicious act. Regardless of how the data was lost, their undoing appears to have been that they treated drive mirroring as a backup and have now paid the ultimate price for not having point-in-time backups of the data that was their business.” The site had been in business since 2002 and had an Alexa page rank of 106,881. Quantcast said they had 14,000 monthly visitors recently. No word on how many thousands of bloggers’ entire output has evaporated.

Read more of this story at Slashdot.

Brendan Gregg of Sun’s Fishworks lab has an interesting video demo up at YouTube demonstrating just how bad vibes, if expressed with sufficient volume in front of a rack full of disks, can cause a spike in disk latency. White noise, evidently, doesn’t do them much harm. (Maybe they just feel awkward to get yelled at on camera.)

Read more of this story at Slashdot.

An anonymous reader writes “New security check points in 2020 will look just like something out of the futuristic movie, The Minority Report. The idea of the new checkpoints will allow high traffic to pass through just as you were walking at a normal pace. No more waving a wand to get through checkpoints — the new checkpoint can detect if you have plans to set off a bomb before you even enter the building.”

Read more of this story at Slashdot.

Trackback this post | Feed on Comments to this post